Incorrect Privilege Assignment

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

CVEs (881)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-50504 - - Apr 23, 2026 Oct 30, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Incorrect Privilege Assignment vulnerability in webxmedia Bulk Change Role bulk-role-change allows Privilege Escalation.This issue affects Bulk Change Role: from n/a through <= 1.1.
CVE-2024-50550 1Litespeedtech 1Litespeed Cache Apr 23, 2026 Oct 29, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Incorrect Privilege Assignment vulnerability in LiteSpeed Technologies LiteSpeed Cache litespeed-cache allows Privilege Escalation.This issue affects LiteSpeed Cache: from n/a through <= 6.5.1.
CVE-2024-50485 - - Apr 23, 2026 Oct 29, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Incorrect Privilege Assignment vulnerability in Udit Rawat Exam Matrix exam-matrix allows Privilege Escalation.This issue affects Exam Matrix: from n/a through <= 1.5.
CVE-2024-50481 - - Apr 23, 2026 Oct 29, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Incorrect Privilege Assignment vulnerability in stackthemes Bstone Demo Importer bstone-demo-importer allows Privilege Escalation.This issue affects Bstone Demo Importer: from n/a through <= 1.0.1.
CVE-2024-47904 1Siemens 2Intermesh 7177 Hybrid 2.0 Subscriber Intermesh 7707 Fire Subscriber Firmware Oct 30, 2024 Oct 23, 2024 8.5 HIGH· v4 7.8 HIGH· v3 N/A· v2 A vulnerability has been identified in InterMesh 7177 Hybrid 2.0 Subscriber (All versions < V8.2.12), InterMesh 7707 Fire Subscriber (All versions < V7.2.12 only if the IP interface is enabled (which is not the default c...Show more A vulnerability has been identified in InterMesh 7177 Hybrid 2.0 Subscriber (All versions < V8.2.12), InterMesh 7707 Fire Subscriber (All versions < V7.2.12 only if the IP interface is enabled (which is not the default configuration)). The affected devices contain a SUID binary that could allow an authenticated local attacker to execute arbitrary commands with root privileges.Show less
CVE-2024-49608 1Gerryntabuhashe 1Gerryworks Post By Mail Apr 23, 2026 Oct 20, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Incorrect Privilege Assignment vulnerability in gerryworks GERRYWORKS Post by Mail gerryworks-post-by-mail allows Privilege Escalation.This issue affects GERRYWORKS Post by Mail: from n/a through <= 1.0.
CVE-2024-49322 - - Apr 29, 2026 Oct 17, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Incorrect Privilege Assignment vulnerability in CodePassenger Job Board Manager for WordPress jemployee allows Privilege Escalation.This issue affects Job Board Manager for WordPress: from n/a through <= 1.0.
CVE-2024-49219 1Themexpo 1Rs Members Apr 29, 2026 Oct 17, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Incorrect Privilege Assignment vulnerability in themexpo RS-Members rs-members allows Privilege Escalation.This issue affects RS-Members: from n/a through <= 1.0.3.
CVE-2024-49217 1Madirisalmanaashish 1Adding Drop Down Roles In Registration Apr 29, 2026 Oct 17, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Incorrect Privilege Assignment vulnerability in madiriaashish Adding drop down roles in registration user-drop-down-roles-in-registration allows Privilege Escalation.This issue affects Adding drop down roles in registrat...Show more Incorrect Privilege Assignment vulnerability in madiriaashish Adding drop down roles in registration user-drop-down-roles-in-registration allows Privilege Escalation.This issue affects Adding drop down roles in registration: from n/a through <= 1.1.Show less
CVE-2024-9863 - - Apr 8, 2026 Oct 17, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 3.6.0 due to the insecure 'administrator' default value for the 'default_user_rol...Show more The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 3.6.0 due to the insecure 'administrator' default value for the 'default_user_role' option. This makes it possible for unauthenticated attackers to register an administrator user even if the registration form is disabled.Show less
CVE-2024-9180 2Hashicorp Openbao 2Openbao Vault Dec 31, 2025 Oct 10, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s privileges to Vault’s root policy. Fixed in Vault Community Edition 1.18.0 and Vault...Show more A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s privileges to Vault’s root policy. Fixed in Vault Community Edition 1.18.0 and Vault Enterprise 1.18.0, 1.17.7, 1.16.11, and 1.15.16.Show less
CVE-2024-9519 1Wpuserplus 1Userplus Oct 15, 2024 Oct 10, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 The UserPlus plugin for WordPress is vulnerable to unauthorized modification of data due to an improper capability check on the 'save_metabox_form' function in versions up to, and including, 2.0. This makes it possible f...Show more The UserPlus plugin for WordPress is vulnerable to unauthorized modification of data due to an improper capability check on the 'save_metabox_form' function in versions up to, and including, 2.0. This makes it possible for authenticated attackers, with editor-level permissions or above, to update the registration form role to administrator, which leads to privilege escalation.Show less
CVE-2024-48941 1Syracom 1Secure Login Oct 11, 2024 Oct 10, 2024 N/A· v4 5.4 MEDIUM· v3 N/A· v2 The Syracom Secure Login (2FA) plugin for Jira, Confluence, and Bitbucket through 3.1.4.5 allows remote attackers to bypass 2FA by interacting with the /rest endpoint of Jira, Confluence, or Bitbucket. In the default con...Show more The Syracom Secure Login (2FA) plugin for Jira, Confluence, and Bitbucket through 3.1.4.5 allows remote attackers to bypass 2FA by interacting with the /rest endpoint of Jira, Confluence, or Bitbucket. In the default configuration, /rest is allowlisted.Show less
CVE-2024-47653 1Shilpisoft 1Client Dashboard Oct 16, 2024 Oct 4, 2024 7.1 HIGH· v4 6.5 MEDIUM· v3 N/A· v2 This vulnerability exists in Shilpi Client Dashboard due to lack of authorization for modification and cancellation requests through certain API endpoints. An authenticated remote attacker could exploit this vulnerabilit...Show more This vulnerability exists in Shilpi Client Dashboard due to lack of authorization for modification and cancellation requests through certain API endpoints. An authenticated remote attacker could exploit this vulnerability by placing or cancelling requests through API request body leading to unauthorized modification of requests belonging to the other users.Show less
CVE-2024-25660 1Nokia 1Transcend Network Management System Jul 3, 2025 Oct 1, 2024 N/A· v4 9.0 CRITICAL· v3 N/A· v2 The WebDAV service in Infinera TNMS (Transcend Network Management System) 19.10.3 allows a low-privileged remote attacker to conduct unauthorized file operations, because of execution with unnecessary privileges.
CVE-2024-25632 1Elabftw 1Elabftw Aug 15, 2025 Oct 1, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 eLabFTW is an open source electronic lab notebook for research labs. In the context of eLabFTW, an administrator is a user account with certain privileges to manage users and content in their assigned team/teams. A user...Show more eLabFTW is an open source electronic lab notebook for research labs. In the context of eLabFTW, an administrator is a user account with certain privileges to manage users and content in their assigned team/teams. A user may be an administrator in one team and a regular user in another. The vulnerability allows a regular user to become administrator of a team where they are a member, under a reasonable configuration. Additionally, in eLabFTW versions subsequent to v5.0.0, the vulnerability may allow an initially unauthenticated user to gain administrative privileges over an arbitrary team. The vulnerability does not affect system administrator status. Users should upgrade to version 5.1.0. System administrators are advised to turn off local user registration, saml_team_create and not allow administrators to import users into teams, unless strictly required.Show less
CVE-2024-46511 - - Oct 4, 2024 Sep 30, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 LoadZilla LLC LoadLogic v1.4.3 was discovered to contain insecure permissions vulnerability which allows a remote attacker to execute arbitrary code via the LogicLoadEc2DeployLambda and CredsGenFunction function.
CVE-2024-46540 1Emlog 1Emlog Jun 17, 2025 Sep 30, 2024 N/A· v4 6.3 MEDIUM· v3 N/A· v2 A remote code execution (RCE) vulnerability in the component /admin/store.php of Emlog Pro before v2.3.15 allows attackers to use remote file downloads and self-extract fucntions to upload webshells to the target server,...Show more A remote code execution (RCE) vulnerability in the component /admin/store.php of Emlog Pro before v2.3.15 allows attackers to use remote file downloads and self-extract fucntions to upload webshells to the target server, thereby obtaining system privileges.Show less
CVE-2024-9082 1Oretnom23 1Online Eyewear Shop Sep 30, 2025 Sep 22, 2024 5.3 MEDIUM· v4 9.8 CRITICAL· v3 6.5 MEDIUM· v2 A vulnerability was found in SourceCodester Online Eyewear Shop 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /classes/Users.php?f=save of the component User Creatio...Show more A vulnerability was found in SourceCodester Online Eyewear Shop 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /classes/Users.php?f=save of the component User Creation Handler. The manipulation of the argument Type with the input 1 leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2024-22303 - - Sep 26, 2024 Sep 17, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Incorrect Privilege Assignment vulnerability in favethemes Houzez allows Privilege Escalation.This issue affects Houzez: from n/a through 3.2.4.

Previous 1...353637...45 Next